SCADA
CVE-2026-25894
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
AnalysisAI
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
Technical ContextAI
CWE-321 hard-coded JWT secret. Similar to CVE-2025-69971 but in a newer version range.
RemediationAI
Update FUXA. Generate unique JWT secrets.
ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application
ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by in
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA managemen
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL inje
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unaut
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerabilit
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA ser
A remote code execution vulnerability in Honeywell Experion PKS and OneWireless WDM (CVSS 9.4). Critical severity with
FUXA SCADA/HMI software has an additional authorization bypass vulnerability enabling unauthenticated access to industri
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-T
LCDS LAquis SCADA through 4.3.1.1085 is vulnerable to a control bypass and path traversal. Rated high severity (CVSS 7.8
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-32cc-x95p-fxcg